By Max J. Rudolph, FSA CFA CERA MAAA
This is an excerpt from a paper that was submitted to the North American CRO Council 2013 Call for Papers on October 11, 2013.
Enterprise risk management can be an exercise in adding value or simply another in a long list of buzz words popular with directors, investors and rating agencies. It may even be seen as a roadblock and interventionist tool by company management. An appropriate balance must be maintained. What is the right mix of constraints versus growth, qualitative versus quantitative analysis, and short versus long time horizons? These are all questions that the successful ERM process must resolve to build transparency around all risks and build firm resilience.
Company resources are tight, and ERM is viewed by some simply as a cost. In the annual Survey of Emerging Risks that I author we continually find more being asked of risk managers, but without commensurate resources being added. Risk culture is the driver here. Where risk is embedded in a firm, both top-down and bottom-up, it is recognized that better decisions are made by considering all types of risks.
Unfortunately many Risk Departments are set up to fail by focusing entirely on constraints, being able to stop a project but not being viewed as a partner who understands how risks aggregate and interact to increase returns. The prior reputation of the risk team predetermines its success, and this is driven from the top. If senior management involves the risk team early in new product development, for example, they are able to suggest adjustments that may lead to a more stable product or provide an internal hedge against a product sold in another part of the company. If the CEO (Chief Executive Officer) views the risk team as a cost center then they will not be successful.
Each company must integrate the risk team into an existing organizational chart based on the underlying risk culture. At some companies the primary risks, typically at manufacturing or service focused firms, can be covered by insurance. The Chief Risk Officer (CRO) becomes a coordinator who seeks out competitive rates and coordinates insurer expertise with in-house risk mitigation. In this situation the CRO might report to the Chief Financial Officer (CFO) or Treasurer and be a low level officer or high level manager. The position rarely gets involved in strategic planning discussions and reports to the board are generally canned and informational, covering tactical plans and recent results. Key risk indicators typically provide lagging data.
Small firms will likely add the CRO duties, and sometimes the title, to the CFO as he is the primary provider of oversight at such firms. Reports to the board are part of normal financial disclosures and can incorporate strategic topics. Key risk indicators provide lagging information but can incorporate leading indicators as well.
Many larger financial firms, with higher levels of financial risk relative to operational risk, have a CRO position that reports to the board, with a dotted line to someone on the senior management team. This position often focuses on data collection and board presentations designed mostly to make the board able to say they have considered risks, or they can be a key management team member that engages the board to understand how the firm’s risk profile is evolving and the potential implications. Done right the focus is on leading risk indicators and brainstorming between areas. This has added benefits of oversight and succession planning.
Unfortunately, many firms rely primarily on quantitative data collected from experts in the business units rather than filling the risk team with business experts and experienced practitioners who can qualitatively question specific practices before they get out of control.
Large firms have an additional hurdle as they tend to be bureaucracies, and those who rise through the ranks have often avoided stressful challenges rather than acting as providers of useful contrarian advice. A small firm may have better risk management practices because the CRO has business experience that drives qualitative analysis rather than an overreliance on quantitative models. The largest companies tend to fall into a trap where complex models are developed and the shortcomings of those models are ignored or included in small print as a footnote. While quantitative analysis is important, everything that counts can’t be counted.
Best practice org chart: firms that want to improve their decision making should segment their risk management team between data collectors, where a consistent ERM process is developed and implemented, and strategic planning. The CRO should manage the planning process, making sure that consistent assumptions and models are input to consistent models. Interactions between areas, transparency and concentration risk should be considered. This position should report directly to the CEO, and perhaps not to the board, and be the primary source of common sense oversight to the management team. This natural skeptic must be protected politically by the CEO or it won’t work. Interestingly, this role could be filled externally by a consultant who provides honest feedback. Many firms will place employees with this type of expertise in senior management roles running a line or as CFO.
©2013 Rudolph Financial Consulting, LLC
The remainder of this essay is available here.